Study Guide for NSE 1: Unified Threat Management (UTM)
February 1, 2016
Fortinet Network Security Solutions

This Study Guide is designed to provide information for the Fortinet Network Security Expert Program – Level 1 curriculum. The study guide presents discussions on concepts and equipment necessary as a foundational understanding for modern network security prior to taking more advanced and focused NSE program levels.
Contents
Figures
Unified Threat Management (UTM)
  The Key to UTM: Consolidation
  UTM Features
  UTM Distributed Enterprise Advanced Features
  Extended UTM Features
  Evolving UTM Features
  UTM Functions
  Where UTM Fits In…
  UTM: Scalable Deployment
  Summary
Key Acronyms
Glossary
References
Figures
Figure 1. Legacy network security add-ons vs. UTM architecture
Figure 2. Unified Threat Management (UTM)
Figure 3. LAN control
Figure 4. Typical Power over Ethernet (PoE) cable configuration
Figure 5. UTM scalability
Figure 6. Fortinet’s concept of “Connected UTM”
UTM provides administrators the ability to monitor and manage multiple, complex security-related
applications and infrastructure components through a single management console. Because UTM is
designed as an integrated solution, it does not suffer the problems of network address translation,
overheating, or throughput difficulties caused by activating multiple security services in legacy systems.
UTM Features
UTMs are generally acquired as either cloud services or network appliances, and integrate firewall,
intrusion detection system (IDS), anti-malware, spam and content filtering, and VPN capabilities
(Figure 2). These can be installed and updated as necessary to keep pace with emerging threats.[1]
Firewall. The most basic, necessary, and widely deployed network security technology, which uses sets of rules or policies to determine which traffic is allowed into or out of a system or network. UTM builds on this foundation to integrate—rather than add on—enhanced security capabilities.[2]
Intrusion Detection System (IDS). An IDS is capable of detecting potential threats to the network, but does not react by sending a message to the firewall to block the threat.[2] IDS is an integrated feature of an Intrusion Prevention System (IPS).
Antispam. This module detects and removes unwanted email (spam) messages by applying verification criteria to determine whether a message fits the defined parameters for spam traffic. Anti-spam filtering can block many Web 2.0 threats, such as bots, many of which arrive in your users’ e-mail boxes. The multiple anti-spam technologies incorporated into UTM detect threats through a variety of techniques [3]. These parameters may be as simple as a list of senders identified by a user, or a comparison against databases of known bad messages and spam server addresses [2].
Content filtering. These devices block traffic to and/or from a network by IP address, domain name/URL, type of content (for example, “adult content” or “file sharing”), or payload. They maintain a whitelist of trusted sites and a blacklist of forbidden sites to prevent users from violating acceptable use policies or being exposed to malicious content [3].
VPN. A Virtual Private Network (VPN) uses special protocols to move packets of information across the Internet securely. In general, VPN protocols encrypt traffic going from sender to receiver, so that the traffic appears completely garbled to anyone who might intercept and examine those packets while they are on the Internet; this protects the carried traffic from unauthorized access. Because the VPN packets wrap the encrypted data inside a new protocol envelope — a technique known as encapsulation — a VPN creates a private, encrypted “tunnel” through the Internet [3].
Access (Application) control. Application control can identify and control applications, software
programs, network services, and protocols. In order to protect networks against the latest web-based
threats, application control should be able to detect and control Web 2.0 apps like YouTube, Facebook,
and Twitter. Enterprise-class app control provides granular policy control, letting you allow or block
apps based on vendor, app behavior, and type of technology. For example, you can block specific sites,
block only your users’ ability to follow links or download files from sites, or block games but allow chat.
Another feature of application control is the ability to enforce identity-based policies on users. The UTM
system tracks user names, IP addresses, and Active Directory user groups. When a user logs on and tries
to access network resources, UTM applies a firewall policy based on the requested application or
destination. Access is allowed only if the user belongs to one of the permitted user groups.
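As an added example (not code from the study guide or from Fortinet), the following Python sketch models the identity-based application control just described: a session table maps source IPs to logged-on users and their AD groups, applications carry vendor/behavior/technology attributes, and a first-match policy list allows a flow only when the user holds one of the policy's permitted groups. All users, groups, applications and policies are constructed for illustration.

```python
"""Added example (not from the study guide): identity-based application control
as the guide describes it. Everything below is constructed for illustration."""
from dataclasses import dataclass

# Constructed application signatures keyed on the three attributes the guide says
# enterprise app control can use: vendor, application behaviour, and technology.
APPLICATIONS = {
    "youtube":          {"vendor": "Google",   "behaviour": "video-streaming", "tech": "browser"},
    "facebook.chat":    {"vendor": "Facebook", "behaviour": "chat",            "tech": "browser"},
    "facebook.game":    {"vendor": "Facebook", "behaviour": "game",            "tech": "browser"},
    "twitter.download": {"vendor": "Twitter",  "behaviour": "file-download",   "tech": "browser"},
    "intranet":         {"vendor": "Internal", "behaviour": "web",             "tech": "browser"},
}

@dataclass
class Policy:
    name: str
    match: dict    # application attribute -> required value; {} matches every app
    groups: set    # AD groups permitted by this policy (ignored for block policies)
    action: str    # "allow" or "block"

# Constructed session table, as learned by the device when each user logged on.
SESSIONS = {"10.0.0.10": "alice", "10.0.0.11": "bob"}
AD_GROUPS = {"alice": {"Staff", "Marketing"}, "bob": {"Staff"}}

# Evaluated top-down, first match wins, like a firewall rule set. The guide's
# "block games but allow chat" case is the first two entries.
POLICIES = [
    Policy("block-games",      {"behaviour": "game"},            set(),         "block"),
    Policy("marketing-social", {"vendor": "Facebook"},           {"Marketing"}, "allow"),
    Policy("marketing-video",  {"behaviour": "video-streaming"}, {"Marketing"}, "allow"),
    Policy("no-downloads",     {"behaviour": "file-download"},   set(),         "block"),
    Policy("staff-intranet",   {"vendor": "Internal"},           {"Staff"},     "allow"),
]

def identify(src_ip: str):
    """Resolve a source IP to (user, groups) from the logon session table."""
    user = SESSIONS.get(src_ip)
    return user, AD_GROUPS.get(user, set())

def evaluate(src_ip: str, app_id: str) -> tuple:
    """Return (action, policy_name). Unauthenticated users and unknown apps are
    denied by default, and a flow that matches no policy falls to an implicit deny."""
    user, groups = identify(src_ip)
    if user is None:
        return ("block", "implicit-deny:unauthenticated")
    app = APPLICATIONS.get(app_id)
    if app is None:
        return ("block", "implicit-deny:unknown-app")
    for policy in POLICIES:
        if all(app.get(k) == v for k, v in policy.match.items()):
            if policy.action == "block":
                return ("block", policy.name)
            # An allow policy applies only if the user is in one of its groups;
            # otherwise evaluation continues with the next policy (constructed rule).
            if groups & policy.groups:
                return ("allow", policy.name)
    return ("block", "implicit-deny")

if __name__ == "__main__":
    for ip, app in [("10.0.0.10", "facebook.game"), ("10.0.0.10", "facebook.chat"),
                    ("10.0.0.11", "youtube"), ("10.0.0.11", "intranet")]:
        print(ip, app, "->", evaluate(ip, app))
```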
Load balancing. Load balancing distributes traffic and routes content across multiple web servers. This increases application performance, improves resource utilization and application stability, and reduces server response times. With data compression and an independent SSL encryption processor, this capability further increases transaction throughput and reduces the processing demands on web servers, providing additional acceleration for web application traffic.
Intrusion Prevention System (IPS). An IPS acts as a network’s watchdog, looking for patterns of network traffic and activity, and records events that may affect security. An IPS issues alarms or alerts for administrators, and is able to block unwanted traffic. An IPS also routinely logs information as events occur, so it can provide information to better handle threats in the future, or provide evidence for possible legal action [3]. IPS is the best way to detect threats trying to exploit network vulnerabilities.
Quality of Service (QoS). QoS refers to a network’s ability to achieve maximum bandwidth and deal with other network performance elements like latency, error rate and uptime. Quality of service also involves controlling and managing network resources by setting priorities for specific types of data (video, audio, files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV, VoIP, streaming media, videoconferencing and online gaming [4].
SSL/SSH inspection. This provides the ability to inspect content encrypted by applications using the Secure Socket Layer (SSL) cryptographic protocol: the UTM device performs a “man-in-the-middle” interception of the SSL traffic so that other inspections, such as DLP, web filtering, and antivirus/anti-malware, can be applied to the decrypted content. Some popular SSL-protected protocols are HTTPS, FTPS, and the mail protocols SMTPS, POP3S, and IMAPS [2].
Application awareness. Web Application Security solutions provide specialized, layered application
threat protection for medium and large enterprises, application service providers, and SaaS providers.
FortiWeb application firewalls protect your web-based applications and internet-facing data. Automated
protection and layered security protects web applications from layer 7 DDoS and more sophisticated
attacks such as SQL Injection, Cross Site Scripting attacks, and data loss. The Web Vulnerability
Assessment module adds scanning capabilities to provide a comprehensive solution to meet your PCI
DSS section 6.6 requirements.
Tradeoffs. The main advantage of UTM is reduced operational complexity. In particular, reducing operational complexity for network administrators increases the likelihood that they will use the available protection features to optimize network security. However, while simplification lets administrators optimize security, the main drawback may be that UTM becomes a single point of failure (SPOF) in a system or network.
Extended UTM Features
One of the key factors that enables specialized UTM products to achieve the highest levels of
performance and boost network throughput is incorporating custom application-specific integrated
circuits (ASICs) into UTM hardware components. As discussed previously in the lesson Data Center
Firewall, using custom-designed ASICs presents a more challenging design process, but the tradeoff is
achieving the highest levels of system performance by having tailored the ASICs to the device
capabilities and intended functions. Even with high-performance ASICs, however, as more UTM
capabilities are activated performance will decrease. As with most highly efficient technologies, planning
and configuration are critical in achieving optimum performance and control when systems and
networks are brought online.
Expanding on the foundation of an integrated firewall, UTM builds additional capabilities to enhance network security management. With ever-increasing volumes of data transferred to and from remote users, UTM integrates capabilities not resident in NGFW. One of these is Data Leak Prevention (DLP) (sometimes referred to as Data Loss Prevention), which helps prevent unauthorized transfer of information to someone outside an organization by protecting the contents of email, web pages, and transferred files. DLP provides the appliance with strong control over data through methods such as inbound/outbound filtering and fingerprinting.
DLP filtering scans inbound and outbound files, searching for text strings and patterns that, when compared against the DLP database, determine whether the content will be allowed, blocked, or archived.
Fingerprinting consists of a method by which each document file is encoded with a unique
“fingerprint”—based on the fingerprint, DLP determines whether the document is a sensitive or
restricted file that should be blocked or if the file is allowed to be shared beyond the network.
DLP has the ability to scan and identify data patterns using supported scannable protocols—for example, FortiGate systems are capable of detecting HTTP, FTP, SMTP, POP3, IMAP, and instant messaging protocols for Yahoo, MSN, AOL, and ICQ messaging services [2]. A limitation of DLP, however, is that it is affected by the same limitations as antivirus scanning—maximum file size, data fragmentation (but not necessarily packet fragmentation), and encryption—all of which may limit effective data leak detection and subsequent prevention.
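The two DLP methods described above, filtering on text patterns against a rule database and matching whole-document fingerprints, as an added Python example (not the study guide's or FortiGate's own code). The rules, the registered sensitive document and the sample files are constructed; the maximum-file-size limit illustrates the scanning limitation the text mentions.

```python
"""Added example (not from the study guide): a toy DLP filter combining pattern
filtering (allow / block / archive) with document fingerprinting."""
import hashlib
import re

MAX_SCAN_BYTES = 10 * 1024 * 1024  # constructed limit; larger files are not inspected

# Constructed DLP database: (rule name, pattern, action when it matches).
# "archive" is the guide's third outcome: let the file through but keep a copy.
PATTERN_RULES = [
    ("credit-card",          re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("ssn",                  re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   "block"),
    ("confidential-marker",  re.compile(r"\bCONFIDENTIAL\b"),        "archive"),
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary digit runs do not trigger the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def pattern_verdict(text: str) -> tuple:
    """Return (action, rule_name). A block rule wins immediately; an archive rule
    is remembered but later rules are still checked in case one blocks."""
    verdict = ("allow", None)
    for name, rx, action in PATTERN_RULES:
        for m in rx.finditer(text):
            if name == "credit-card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue         # 16 digits that fail Luhn are not a card number
            if action == "block":
                return ("block", name)
            verdict = ("archive", name)
    return verdict

def fingerprint(data: bytes) -> str:
    """Whole-document fingerprint. Collapsing whitespace keeps a copy with changed
    line endings or re-wrapped text matching (a constructed simplification)."""
    return hashlib.sha256(b" ".join(data.split())).hexdigest()

# Constructed registry of sensitive documents the administrator has fingerprinted.
SENSITIVE_FINGERPRINTS = {
    fingerprint(b"Project Falcon\nQ3 acquisition targets\nDo not distribute"): "falcon-plan",
}

def scan_file(data: bytes) -> tuple:
    """Apply both methods to one file and return (action, reason)."""
    if len(data) > MAX_SCAN_BYTES:
        # The stated limitation: oversized content cannot be inspected at all.
        return ("unscanned", "exceeds max file size")
    fp = fingerprint(data)
    if fp in SENSITIVE_FINGERPRINTS:
        return ("block", "fingerprint:" + SENSITIVE_FINGERPRINTS[fp])
    action, rule = pattern_verdict(data.decode("utf-8", errors="replace"))
    return (action, "pattern:" + rule if rule else "no match")

if __name__ == "__main__":
    samples = [
        b"Project Falcon\r\nQ3 acquisition targets\r\nDo not distribute",  # CRLF copy
        b"Card on file: 4111 1111 1111 1111",                              # valid Luhn
        b"Ref 1234 5678 9012 3456",                                        # fails Luhn
        b"CONFIDENTIAL board minutes",
    ]
    for s in samples:
        print(scan_file(s))
```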
Switching. By integrating switching into UTM, the capability to manage switching is added to the single security management console. This again reduces the number of physical hardware devices and control monitors necessary to manage the UTM system. From this integrated control panel, individual ports can be switched on or off to physically isolate network traffic. This is important, because some applications attempt to use port 80 to avoid detection by traditional port-based firewall security systems. Port 80 is the primary port used by the World Wide Web (WWW) and is how web servers “listen” for incoming unsecured (HTTP) connections from web browsers; it is a primary port through which malicious code tries to sneak in via Internet applications. Conversely, secure WWW connections are monitored through port 443 (HTTPS) using the TLS/SSL security protocols.
Wireless LAN (WLAN). Integrating the WLAN into UTM provides more than added economy of
hardware. Integrating WLAN into UTM provides a simplified method to ensure each network on the full
infrastructure—physical, WLAN, and VPN—may be controlled together to maintain consistent security
policies and controls across all networks on the control interface. This approach also detects and
eliminates potential “blind spots” and better prevents unauthorized or rogue wireless access to the
combined network. WLAN is also important for SMB networks where secure wireless coverage must
take the place of non-existent cable-based network connectivity, such as rented small office spaces.
With continued increases in mobile computing and BYOD operations, many people in today’s
technologically-empowered workforce expect the ability to replicate their office environment wherever
they happen to be conducting business. Because of the many variables involved in such an endeavor—
variations in available Internet speeds, availability of secured versus open networks, volume of users on
remote networks, the cost of high-speed links, and so forth—a technique needs to be available to
enable effective remote communication for authorized network users. In this situation, a process called
WAN Optimization (WANOpt) is such a technique for use with UTM-empowered network infrastructures
(Figure 3).
WANOpt provides improved application and network performance to authorized remote users through five primary methods [3]:
• Protocol optimization. Improves efficiency of FTP, HTTP, TCP, and other protocols to accelerate network performance.
• Byte caching. Caches files and data to reduce the amount of data that must be sent across the WAN.
• Web caching. Stores/caches web pages to serve on request, avoiding reloading over the WAN and reducing latency and delays between servers.
• SSL offloading. Offloads SSL decryption/encryption onto SSL acceleration hardware to boost web server performance.
• Secure tunneling. Secures traffic crossing the WAN.
Power over Ethernet (PoE). PoE allows UTM to provide power to external devices, much as legacy technologies such as Universal Serial Bus (USB) do. With PoE, power can be supplied over Ethernet data cables along extensive cable lengths, either on the same conductors as data or on a dedicated conductor in the same cable (Figure 4). USB data + power capabilities are designed for up to 5 m (16 ft), compared to PoE capability up to 100 m (330 ft), or even more with new PoE-plus developments.
UTM applications utilizing PoE enable connection of Wireless Access Points, 3G/4G Extenders, Voice over Internet Protocol (VoIP) handsets, and IP cameras to the network security platform while keeping the devices away from system main power supplies. Depending on how it is applied, some advantages of PoE over other technologies include lower cost because of combined cabling for power and data, the ability to remotely cycle appliance power, and fast data rates.
3G/4G. 3G/4G extenders integrate with UTM to provide a secure WAN connection for SMB and
distributed enterprise locations, with ability to serve as a secondary failover connection to the wired
WAN link for business continuity or, if desired, as a primary WAN link.
UTM Functions
UTM provides a number of integrated functions beyond the scope of NGFW. Two of these important functions focus on threats inherent in platform capabilities used daily by users in systems and networks of all sizes, from personal computers, to smartphones and phablets, to networks and data center operations and automated business functions. In particular, these common threats—which continue also to evolve with technology and more widespread integration of technology components into common devices—include email and “Surfing the Web.”
You may have heard on many different commercials—both online and on other media—the phrase “we
have an app for that!” Fortunately, UTM has apps—or solutions—to help protect your networks from
these continually evolving threats.
Intrusion Prevention Systems (IPS). IPS performs a dual protection function. In the UTM environment,
IPS protects the internal network from attacks that originate from outside the network perimeter as well
as those that originate from within the network itself. IPS is also discussed as a component of NGFW—in
a UTM solutions environment, the IPS component provides a range of security tools to both detect and
block malicious activity, including:
SMB networks. Simple controls and multiple scalable options. Provides option for control and scalable
security for businesses with limited physical space and IT staff, or branch offices where IT policy and
control is managed from a central location (Figure 5).
Distributed enterprise networks. Simultaneous control of wired, VPN, and wireless infrastructure
components, with centralized control with advanced features to effectively run operations up to a global
scale.
Like many other sectors of the technology industry, UTM deployment may be accomplished in various ways. A common method for vendors—following traditional hardware procurement paradigms—was to license UTM infrastructure based on the number of devices included in the deployment package. In other words, the standard was an “à la carte” menu of options.
However, in an effort to provide a better option for organizations wanting to upgrade to the UTM
security model, leading UTM companies developed a new licensing model that more closely reflects the
“bundle” model offered by cable and DSL companies (Figure 6). Fortinet, recognized by Gartner as a
leader in UTM development and implementation along with CheckPoint, offers a “bundle” concept that
includes the purchased hardware, software updates, security feature updates for all included security
components, and system support[2]. This not only provides simplified licensing and reduced costs, but
also enables better future budget planning for UTM system customers.
Summary
NGFW improved on the basic gatekeeping security of Edge Firewalls by introducing such features as IPS,
Deep Packet Scanning, Network Application Identification and Control, and Access Enforcement.
However, beyond those capabilities, additional security functions meant additional appliances and
software configurations, increasing operational complexity for the network administrator.
Because increased operational complexity often results in bypassing of processes in the interest of time
or administrator overload, development was needed for a new dynamic vision of a flexible, future-ready
security solution to meet the needs of today’s network environments and keep pace—or think ahead
of—advanced threats of the future. This dynamic, integrated network security concept—Unified Threat
Management (UTM)—is in place today and ready for tomorrow’s evolving challenges.
Overcoming the difficulties of patching together legacy systems with newer, state of the art systems,
UTM brings flexibility, vision, power, and control to networks from SMB to large enterprises that have
international reach. Combining user-simple interfaces with threat-complex protections, as well as cost
effective procurement, operations, and support, UTM provides an optimum system to best ensure
continued network operations in a secure environment.
Key Acronyms
AAA Authentication, Authorization, and Accounting
AD Active Directory
ADC Application Delivery Controller
ADN Application Delivery Network
ADOM Administrative Domain
AM Antimalware
API Application Programming Interface
APT Advanced Persistent Threat
ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
GB Gigabyte
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICSA International Computer Security Association
ID Identification
IDC International Data Corporation
IDS Intrusion Detection System
IM Instant Messaging
IMAP Internet Message Access Protocol
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java Platform Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
NSS NSS Labs
OSI Open Systems Infrastructure
OTS Off the Shelf
PaaS Platform as a Service
PC Personal Computer
PCI DSS Payment Card Industry Data Security Standard
PHP PHP Hypertext Protocol
POE Power over Ethernet
POP3 Post Office Protocol (v3)
POP3S Post Office Protocol (v3) Secure
QoS Quality of Service
Radius Protocol server for UNIX systems
RDP Remote Desktop Protocol
SaaS Software as a Service
SDN Software-Defined Network
SEG Secure Email Gateway
SFP Small Form-Factor Pluggable
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SLA Service Level Agreement
SM Security Management
SMB Small & Medium Business
SMS Simple Messaging System
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SPoF Single Point of Failure
SQL Structured Query Language
SSL Secure Socket Layer
SWG Secure Web Gateway
SYN Synchronization packet in TCP
Syslog Standard acronym for Computer Message Logging
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS Transport Layer Security
TLS/SSL Transport Layer Security/Secure Socket Layer Authentication
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
UTM Unified Threat Management
VDOM Virtual Domain
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
WANOpt Wide Area Network Optimization
WLAN Wireless Local Area Network
XSS Cross-site Scripting
Glossary
AV/AM. Anti-virus/Anti-malware provides protection against virus, spyware, and other types of
malware attacks in web, email, and file transfer traffic. Responsible for detecting, removing, and
reporting on malicious code. By intercepting and inspecting application-based traffic and content,
antivirus protection ensures that malicious threats hidden within legitimate application content are
identified and removed from data streams before they can cause damage. Using AV/AM protection at
client servers/devices adds an additional layer of security.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:
• Intrusion Prevention (IPS)
• Deep Packet Inspection (DPI)
• Network App ID & Control
• Access Enforcement
• Distributed Enterprise Capability
• “Extra Firewall” Intelligence
• Third Party Management Compatibility
• VPN
• Application Awareness
IPS. Intrusion Prevention System (IPS) protects networks from threats by blocking attacks that might
otherwise take advantage of network vulnerabilities and unpatched systems. IPS may include a wide
range of features that can be used to monitor and block malicious network activity including out-of-
band mode (or one-arm IPS mode, similar to IDS). IPS can be installed at the edge of your network or
within the network core to protect critical business applications from both external and internal attacks.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as
either cloud services or network appliances, integrating:
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
References
1. Rouse, M. Unified Threat Management Devices: Understanding UTM and its Vendors. Essential Guide, 2014.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. Tittel, E. Unified Threat Management for Dummies. Hoboken, NJ: John Wiley & Sons, 2012.
4. Janssen, C. Quality of Service (QoS), in Techopedia.com. n.d.